Slashdot Mirror


Custom Trojan Creation Tool Sold Online

Finch writes "Net Security.org is reporting on the surprisingly sophisticated 'virus in a can' software called Pinch. Pinch is a tool sold on several online forums and designed to create Trojans. It allows attackers to specify the data that Trojans steal. One of the interface tabs, PWD, allows malicious users to select the type of password to be stolen by the Trojan: from email passwords to passwords kept by the system tools. It is possible to order the Trojan to encrypt this data when sending it, so that nobody else can read it. 'Pinch also lets users carry out other actions: turn infected computers into zombie computers, pack Trojans to make detection more difficult, and kill certain system processes, particularly those of security solutions.'"

6 of 121 comments

  1. "Do-It-Yourself Trojans" by Fedorpheux · · Score: 2, Insightful

    A great slogan for this program, but I bet our latex buddies have an entirely different interpretation of that...

    --
    Somewhere between a super nerd and a rock star...
  2. Re:Scary stuff to be sure by realmolo · · Score: 4, Insightful

    Eh. Trojans/rootkits/viruses built from these "kits" tend to all be very similar. Essentially, if you defend against one, you're defended against all the others.

    Never mind the fact that it's a fucking KIT. If YOU can download it, so can the anti-virus people in order to figure out how to detect viruses made with it.

    The interesting thing about modern viruses/trojans/whatever is that very few of them are really *viruses* anymore. They rely almost completely on simply getting a user to manually run (or at least give permission to the system to run) an obfuscated executable. It's sad that the technique is so successful.

  3. Re:Torrent? by PCM2 · · Score: 4, Insightful

    apparently two out of three pinch downloads were infected with "Win32/PSW.LdPinch.P4 trojan"

    Did you stop to think that maybe the construction set was identified as a Trojan because it ... you know ... contained the code for a Trojan? As in ... if it tripped your antivirus then you probably had the right one.

    --
    Breakfast served all day!
  4. Mod me flamebait, but by postbigbang · · Score: 2, Insightful

    Since I have to take care of a lot of machines of people that get these things, my otherwise non-violent nature would like to find the authors, well, in a Turkish prison. Yes these things have been sold on the net for a long damn time, but I've also had to scrape, reformat, debug, and otherwise keep hapless unwitting people from the damage these things do. They're often chained to using Windows whether they want to or not.

    I've seen them spend hundreds of dollars on both prevention and cure, only to get owned again. This isn't about Microsoft, this is about guys that are the seeming equivalent to those that might cut brake lines in a car. The outcome isn't injurious physically, just emotionally/mentally and financially.

    My hacker instinct says always continue to hack and explore and try and break things, but selling trojans seems way over the top. No fucking 'let them download Ubuntu or get a second mortgage for a Mac' shit. This is real, this is vulgar, and this is a business plan for bright guys gone bad.... and I don't get paid for scraping this crap.

    --
    ---- Teach Peace. It's Cheaper Than War.
  5. Re:That sounds like fun by Electrum · · Score: 3, Insightful

    I know you're joking, but what sort of fool would trust the seller with their own CC#?

    Why does the card holder care? Your liability is limited to $50 by law, or zero by many card issuers. Merchants are the ones who lose with fraud, not the card holders or the credit card companies. In fact, the card company profits from fraud by hitting the merchant with a charge back fee in addition to reversing the transaction.

  6. Difference between Good and Evil by HomelessInLaJolla · · Score: 2, Insightful

    I had to modify the following post to take any direct references as I have no way of knowing if you, personally, actually made use of your exploits outside of your own private testing environment...

    I guess that's the difference between real tao programmers and script kiddies.

    I _could_ have engaged in the same things that script kiddies did, exploiting other people for personal amusement and/or gain, but made a conscious decision not to. I saw the links, I looked at the downloads, the ftp sites, and the web pages. I _could_ have become involved in that sort of thing.

    But, and I guess a significant majority of the population is lacking this little definition in their upbringing, I decided that there were far better uses for my intellectual ability... You know, something productive, something which would benefit people, something which didn't rely on targeting and exploiting others' ignorance.

    The actions of script kiddies (and don't take this personally because you're part of the greater population) remind me of taking the lunch money from a quadriplegic.

    What's really sick is that most of them got a real kick out of it--and they're the asshats that I'll have to work next to in the professional world.

    --
    the NPG electrode was replaced with carbon blac